


Category:   Application (Generic)  >   curl
(Oracle Issues Fix for Oracle Linux) curl FTP Pathname Heap Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1042073
CVE Reference:   CVE-2018-1000120
Date:  Nov 12 2018
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 7.12.3 - 7.58.0
Description:   A vulnerability was reported in curl. A remote user can execute arbitrary code on the target system.

A remote user who can control the paths that curl uses for FTP can create specially crafted path names containing the control characters '%00' to trigger a heap overflow and potentially execute arbitrary code on the target system.

Applications configured with '--ftp-method singlecwd' or the libcurl alternative 'CURLOPT_FTP_FILEMETHOD' are affected.
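
An added example, not taken from the advisory or from curl's code: a pre-flight check an application could run on untrusted FTP URLs before handing them to libcurl, flagging paths that carry raw or percent-encoded control bytes such as the '%00' described above. The helper name ftp_url_has_control_bytes and the sample URLs are hypothetical; the check is a defense-in-depth filter alongside the vendor update.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hex_val(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Case-insensitive test that s starts with the lowercase string prefix. */
static int has_prefix_ci(const char *s, const char *prefix) {
    while (*prefix)
        if (tolower((unsigned char)*s++) != *prefix++) return 0;
    return 1;
}

/* Hypothetical helper, not a libcurl function. Returns 1 when url is an
 * ftp:// or ftps:// URL whose path holds a raw or percent-encoded control
 * byte (0x00-0x1F or 0x7F), else 0. Escapes are decoded one level only. */
int ftp_url_has_control_bytes(const char *url) {
    const char *p;
    if (has_prefix_ci(url, "ftp://")) p = url + 6;
    else if (has_prefix_ci(url, "ftps://")) p = url + 7;
    else return 0;                        /* not an FTP URL */
    p = strchr(p, '/');                   /* skip user:pass@host:port */
    if (!p) return 0;                     /* no path component */
    for (; *p; p++) {
        unsigned char b = (unsigned char)*p;
        if (b == '%') {
            int hi = hex_val(p[1]);
            int lo = hi >= 0 ? hex_val(p[2]) : -1;
            if (lo < 0) continue;         /* malformed escape, literal '%' */
            b = (unsigned char)(hi * 16 + lo);
            p += 2;
        }
        if (b < 0x20 || b == 0x7f) return 1;
    }
    return 0;
}

int main(void) {                          /* constructed sample URLs */
    printf("%d %d\n", ftp_url_has_control_bytes("ftp://ftp.example.com/pub/a%00b/f"),
           ftp_url_has_control_bytes("ftp://ftp.example.com/pub/file.txt"));
    return 0;
}
```
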

The vendor was notified on January 29, 2018.

Duy Phan Thanh reported this vulnerability.

Impact:   A remote user can execute arbitrary code on the target system.
Solution:   Oracle has issued a fix.

The Oracle Linux advisory is available at:

Cause:   Boundary error
Underlying OS:  Linux (Oracle)
Underlying OS Comments:  7

Message History:   This archive entry is a follow-up to the message listed below.
Mar 14 2018 curl FTP Pathname Heap Overflow Lets Remote Users Execute Arbitrary Code

 Source Message Contents

Subject:  [El-errata] ELSA-2018-3157 Moderate: Oracle Linux 7 curl and nss-pem security and bug fix update

Oracle Linux Security Advisory ELSA-2018-3157

The following updated rpms for Oracle Linux 7 have been uploaded to the 
Unbreakable Linux Network:



Description of changes:

- require a new enough version of nss-pem to avoid regression in yum 

- remove dead code, detected by Coverity Analysis
- remove unused variable, detected by GCC and Clang

- make curl --speed-limit work with TFTP (#1584750)

- fix RTSP bad headers buffer over-read (CVE-2018-1000301)
- fix FTP path trickery leads to NIL byte out of bounds write 
- fix LDAP NULL pointer dereference (CVE-2018-1000121)
- fix RTSP RTP buffer over-read (CVE-2018-1000122)
- http: prevent custom Authorization headers in redirects (CVE-2018-1000007)
- doc: --tlsauthtype works only if built with TLS-SRP support (#1542256)
- update certificates in the test-suite because they expire soon (#1572723)

- make NSS deallocate PKCS #11 objects early enough (#1510247)

- update object ID while reusing a certificate (#1610998)
